From c1dfc85457ee4d3f4c082b741e0b4ef69420285a Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 9 Oct 2022 20:45:49 +0200
Subject: [PATCH] 5.10-stable patches added patches: compiler_attributes.h-move-__compiletime_-error-warning.patch fs-fix-uaf-gpf-bug-in-nilfs_mdt_destroy.patch
---
 ....h-move-__compiletime_-error-warning.patch | 113 ++++++++++++++++++
 ...fix-uaf-gpf-bug-in-nilfs_mdt_destroy.patch | 62 ++++++++++
 queue-5.10/series | 2 +
 3 files changed, 177 insertions(+)
 create mode 100644 queue-5.10/compiler_attributes.h-move-__compiletime_-error-warning.patch
 create mode 100644 queue-5.10/fs-fix-uaf-gpf-bug-in-nilfs_mdt_destroy.patch
diff --git a/queue-5.10/compiler_attributes.h-move-__compiletime_-error-warning.patch b/queue-5.10/compiler_attributes.h-move-__compiletime_-error-warning.patch
new file mode 100644
index 00000000000..dad40bf73ec
--- /dev/null
+++ b/queue-5.10/compiler_attributes.h-move-__compiletime_-error-warning.patch
@@ -0,0 +1,113 @@
+From b83a908498d68fafca931e1276e145b339cac5fb Mon Sep 17 00:00:00 2001
+From: Nick Desaulniers
+Date: Mon, 2 Aug 2021 13:23:20 -0700
+Subject: compiler_attributes.h: move __compiletime_{error|warning}
+
+From: Nick Desaulniers
+
+commit b83a908498d68fafca931e1276e145b339cac5fb upstream.
+
+Clang 14 will add support for __attribute__((__error__(""))) and
+__attribute__((__warning__(""))). To make use of these in
+__compiletime_error and __compiletime_warning (as used by BUILD_BUG and
+friends) for newer clang and detect/fallback for older versions of
+clang, move these to compiler_attributes.h and guard them with
+__has_attribute preprocessor guards.
+
+Link: https://reviews.llvm.org/D106030
+Link: https://bugs.llvm.org/show_bug.cgi?id=16428
+Link: https://github.com/ClangBuiltLinux/linux/issues/1173
+Signed-off-by: Nick Desaulniers
+Reviewed-by: Nathan Chancellor
+Reviewed-by: Kees Cook
+[Reworded, landed in Clang 14]
+Signed-off-by: Miguel Ojeda
+Signed-off-by: Bart Van Assche
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/compiler-gcc.h | 3 ---
+ include/linux/compiler_attributes.h | 24 ++++++++++++++++++++++++
+ include/linux/compiler_types.h | 6 ------
+ 3 files changed, 24 insertions(+), 9 deletions(-)
+
+--- a/include/linux/compiler-gcc.h
++++ b/include/linux/compiler-gcc.h
+@@ -54,9 +54,6 @@
+
+ #define __compiletime_object_size(obj) __builtin_object_size(obj, 0)
+
+-#define __compiletime_warning(message) __attribute__((__warning__(message)))
+-#define __compiletime_error(message) __attribute__((__error__(message)))
+-
+ #if defined(LATENT_ENTROPY_PLUGIN) && !defined(__CHECKER__)
+ #define __latent_entropy __attribute__((latent_entropy))
+ #endif
+--- a/include/linux/compiler_attributes.h
++++ b/include/linux/compiler_attributes.h
+@@ -30,6 +30,7 @@
+ # define __GCC4_has_attribute___assume_aligned__ (__GNUC_MINOR__ >= 9)
+ # define __GCC4_has_attribute___copy__ 0
+ # define __GCC4_has_attribute___designated_init__ 0
++# define __GCC4_has_attribute___error__ 1
+ # define __GCC4_has_attribute___externally_visible__ 1
+ # define __GCC4_has_attribute___no_caller_saved_registers__ 0
+ # define __GCC4_has_attribute___noclone__ 1
+@@ -37,6 +38,7 @@
+ # define __GCC4_has_attribute___no_sanitize_address__ (__GNUC_MINOR__ >= 8)
+ # define __GCC4_has_attribute___no_sanitize_undefined__ (__GNUC_MINOR__ >= 9)
+ # define __GCC4_has_attribute___fallthrough__ 0
++# define __GCC4_has_attribute___warning__ 1
+ #endif
+
+ /*
+@@ -137,6 +139,17 @@
+ #endif
+
+ /*
++ * Optional: only supported since clang >= 14.0
++ *
++ * gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-error-function-attribute
++ */
++#if __has_attribute(__error__)
++# define __compiletime_error(msg) __attribute__((__error__(msg)))
++#else
++# define __compiletime_error(msg)
++#endif
++
++/*
+ * Optional: not supported by clang
+ *
+ * gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-externally_005fvisible-function-attribute
+@@ -273,6 +286,17 @@
+ #define __used __attribute__((__used__))
+
+ /*
++ * Optional: only supported since clang >= 14.0
++ *
++ * gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-warning-function-attribute
++ */
++#if __has_attribute(__warning__)
++# define __compiletime_warning(msg) __attribute__((__warning__(msg)))
++#else
++# define __compiletime_warning(msg)
++#endif
++
++/*
+ * gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-weak-function-attribute
+ * gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html#index-weak-variable-attribute
+ */
+--- a/include/linux/compiler_types.h
++++ b/include/linux/compiler_types.h
+@@ -281,12 +281,6 @@ struct ftrace_likely_data {
+ #ifndef __compiletime_object_size
+ # define __compiletime_object_size(obj) -1
+ #endif
+-#ifndef __compiletime_warning
+-# define __compiletime_warning(message)
+-#endif
+-#ifndef __compiletime_error
+-# define __compiletime_error(message)
+-#endif
+
+ #ifdef __OPTIMIZE__
+ # define __compiletime_assert(condition, msg, prefix, suffix) \
diff --git a/queue-5.10/fs-fix-uaf-gpf-bug-in-nilfs_mdt_destroy.patch b/queue-5.10/fs-fix-uaf-gpf-bug-in-nilfs_mdt_destroy.patch
new file mode 100644
index 00000000000..06abc397308
--- /dev/null
+++ b/queue-5.10/fs-fix-uaf-gpf-bug-in-nilfs_mdt_destroy.patch
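Review bot: The two comment blocks added to compiler_attributes.h (inner hunks `@@ -137,6 +139,17 @@` and `@@ -273,6 +286,17 @@`) mark the attributes as optional but do not say what the empty `#else` branch means for users of the macros. When `__has_attribute(__error__)` or `__has_attribute(__warning__)` is false, `__compiletime_error(msg)` and `__compiletime_warning(msg)` expand to nothing, so the message text handed in by BUILD_BUG-style checks is not attached to anything on such compilers; how a failing check then surfaces depends on `__compiletime_assert` in compiler_types.h, whose definition is cut off at the end of the last inner hunk. I would add one line to each block, for example ` * Expands to nothing when unsupported; the diagnostic message is then dropped.`, so nobody assumes the message is always reported.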
@@ -0,0 +1,62 @@
+From 2e488f13755ffbb60f307e991b27024716a33b29 Mon Sep 17 00:00:00 2001
+From: Dongliang Mu
+Date: Tue, 16 Aug 2022 12:08:58 +0800
+Subject: fs: fix UAF/GPF bug in nilfs_mdt_destroy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dongliang Mu
+
+commit 2e488f13755ffbb60f307e991b27024716a33b29 upstream.
+
+In alloc_inode, inode_init_always() could return -ENOMEM if
+security_inode_alloc() fails, which causes inode->i_private
+uninitialized. Then nilfs_is_metadata_file_inode() returns
+true and nilfs_free_inode() wrongly calls nilfs_mdt_destroy(),
+which frees the uninitialized inode->i_private
+and leads to crashes(e.g., UAF/GPF).
+
+Fix this by moving security_inode_alloc just prior to
+this_cpu_inc(nr_inodes)
+
+Link: https://lkml.kernel.org/r/CAFcO6XOcf1Jj2SeGt=jJV59wmhESeSKpfR0omdFRq+J9nD1vfQ@mail.gmail.com
+Reported-by: butt3rflyh4ck
+Reported-by: Hao Sun
+Reported-by: Jiacheng Xu
+Reviewed-by: Christian Brauner (Microsoft)
+Signed-off-by: Dongliang Mu
+Cc: Al Viro
+Cc: stable@vger.kernel.org
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/inode.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@ -168,8 +168,6 @@ int inode_init_always(struct super_block
+ inode->i_wb_frn_history = 0;
+ #endif
+
+- if (security_inode_alloc(inode))
+- goto out;
+ spin_lock_init(&inode->i_lock);
+ lockdep_set_class(&inode->i_lock, &sb->s_type->i_lock_key);
+
+@@ -202,11 +200,12 @@ int inode_init_always(struct super_block
+ inode->i_fsnotify_mask = 0;
+ #endif
+ inode->i_flctx = NULL;
++
++ if (unlikely(security_inode_alloc(inode)))
++ return -ENOMEM;
+ this_cpu_inc(nr_inodes);
+
+ return 0;
+-out:
+- return -ENOMEM;
+ }
+ EXPORT_SYMBOL(inode_init_always);
+
diff --git a/queue-5.10/series b/queue-5.10/series
index 93badcde7aa..63127562e16 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
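Review bot: The relocated `security_inode_alloc()` call in the inner hunk `@@ -202,11 +200,12 @@` of fs/inode.c carries no comment explaining that its position is load-bearing. Going by the commit message, the failure path hands the inode to the filesystem's free routine, which reads `inode->i_private`, so any field initialisation later added below this call would bring back the uninitialised-pointer free this patch closes. I would put a comment directly above the call, for example `/* Keep last: on failure the inode is freed through the fs free path, which reads i_private and friends, so every field must already be set. */`. The body of inode_init_always() begins outside both inner hunks, so which fields are set before this point cannot be confirmed from the page.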
@@ -7,3 +7,5 @@ mm-gup-fix-the-fast-gup-race-against-thp-collapse.patch
 powerpc-64s-radix-don-t-need-to-broadcast-ipi-for-radix-pmd-collapse-flush.patch
 wait_on_bit-add-an-acquire-memory-barrier.patch
 provide-arch_test_bit_acquire-for-architectures-that-define-test_bit.patch
+fs-fix-uaf-gpf-bug-in-nilfs_mdt_destroy.patch
+compiler_attributes.h-move-__compiletime_-error-warning.patch
--
2.47.3